[CentOS] Security checklist for new Centos server?

Johnny Hughes johnny at centos.org
Sat Jul 21 17:19:23 UTC 2007


M. Fioretti wrote:
> On Sat, Jul 21, 2007 10:33:14 AM +0200, Ralph Angenendt
> (ra+centos at br-online.de) wrote:
> 
>>> - set up iptables (what would be the safest iptables script to do all and
>>>   only the services listed above?)
>> Depends on from where you want to connect to your imap server. From
>> everywhere?
> 
> yes. More exactly, dovecot must serve both local webmail via
> squirrelmail and my (and other users) home boxes
> 
>> If you only run sshd, imap, postfix and apache I don't really see a
>> need for iptables. But you might want to restrict access to sshd to
>> a few ip addresses if you can.
> 
> Unfortunately, this is not an option. Sorry I forgot to specify it in
> the initial message.
> 
>>> - what else?
>> Don't turn off SELinux.
> 
> Hmmm... I had also forgotten this side of the package. I will be
> running on a rented VPS, can SELinux be used in such contexts?
> 
> Also, frankly I am not up to date on this, but I do remember reading a
> lot of "Just turn off selinux, isn't worth it" and "selinux isn't
> mature/ documented enough yet" in relatively recent times, both on
> Fedora and Centos lists.
> 
> Is this still the case?

It was never the case ... SELinux has been turned on by default by Red
Hat in RHEL4 and RHEL5.

People who say "turn it off" do so because they either don't understand
what it does OR they don't know how to use it.

That said, you don't HAVE to use it.  However, it is another layered
security feature AND the largest enterprise linux outfit in the world
thinks it is very important.
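The thread asks what an iptables script that exposes "all and only" sshd, postfix, apache and dovecot (reachable from anywhere) would look like. The script below is an added example, not from any poster in the thread; it emits an iptables-restore rule set with a default DROP policy on INPUT and explicit NEW-connection accepts for the assumed service ports (22, 25, 80, 443, 143, 993). The port list, the loopback and ICMP allowances, and the rate-limited LOG of dropped packets are assumptions; nothing is applied unless `--apply` is passed as root, so the output can be reviewed first and SELinux stays untouched.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables rule set that allows
# only the services named in the thread (sshd, smtp, http/https, imap/imaps)
# and drops every other inbound connection. Ports and the allow-from-anywhere
# policy are assumptions matching the poster's stated requirements.

# Services to expose as "name:port" pairs (constructed list).
ALLOWED_SERVICES="ssh:22 smtp:25 http:80 https:443 imap:143 imaps:993"

# Emit the rule set in iptables-restore format so it can be reviewed first.
fw_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic (squirrelmail talking to the local dovecot) stays allowed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and continuations of accepted ones.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that match no known connection are dropped before the service rules.
-A INPUT -m state --state INVALID -j DROP
# Allow ping so basic reachability checks keep working.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for svc in $ALLOWED_SERVICES; do
        name=${svc%%:*}
        port=${svc##*:}
        printf '# %s\n-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$name" "$port"
    done
    cat <<'EOF'
# Log a rate-limited sample of what falls through to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of service ports opened by the generated rule set (sanity check).
fw_open_ports() {
    fw_rules | grep -c -- '--dport'
}

# Apply with iptables-restore only when asked explicitly and running as root;
# otherwise print the rules for review.
case "${1:-}" in
    --apply)
        if [ "$(id -u)" -ne 0 ]; then
            echo "must be root to apply rules" >&2
            exit 1
        fi
        fw_rules | iptables-restore
        ;;
    *)
        fw_rules
        ;;
esac
```

Run it without arguments to print the rule set, compare the `--dport` lines against the services you actually run, and only then run it with `--apply` as root (or save the output to the distribution's iptables config file so the rules survive a reboot). The default-DROP policy means anything not listed, including a service started later by mistake, is unreachable until a rule is added, which is the "only the services listed" property the question asks for.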
